psyb0t

Hmm, that's it, psybot is flooding my logs:

[quote][…]
Apr 9 04:10:52 cerbere sshd[11228]: Invalid user admin from 89.30.129.147
Apr 9 04:11:20 cerbere sshd[11243]: Invalid user admin from 196.40.4.228
Apr 9 04:12:04 cerbere sshd[11321]: Invalid user admin from 209.44.116.98
Apr 9 04:12:51 cerbere sshd[11382]: Invalid user admin from 70.88.220.233
Apr 9 04:13:08 cerbere sshd[11408]: Invalid user admin from 216.195.56.227
Apr 9 04:13:55 cerbere sshd[11477]: Invalid user admin from 216.45.58.210
Apr 9 04:14:16 cerbere sshd[11492]: Invalid user admin from 216.195.56.227
Apr 9 04:14:58 cerbere sshd[11561]: Invalid user admin from 87.238.173.121
Apr 9 04:15:47 cerbere sshd[11649]: Invalid user admin from 208.70.79.110
Apr 9 04:16:07 cerbere sshd[11669]: Invalid user admin from 61.19.246.92
Apr 9 04:17:03 cerbere sshd[11740]: Invalid user admin from 218.241.164.34
Apr 9 04:17:17 cerbere sshd[11758]: Invalid user admin from 64.27.3.161
Apr 9 04:18:04 cerbere sshd[11880]: Invalid user admin from 212.34.154.72
Apr 9 04:18:33 cerbere sshd[11883]: Invalid user admin from 202.82.25.161
Apr 9 04:19:14 cerbere sshd[11964]: Invalid user admin from 208.70.79.110
Apr 9 04:20:01 cerbere sshd[12034]: Invalid user admin from 69.197.151.18
Apr 9 04:20:24 cerbere sshd[12065]: Invalid user admin from 220.194.54.41
Apr 9 04:21:15 cerbere sshd[12146]: Invalid user admin from 91.189.82.170
Apr 9 04:21:35 cerbere sshd[12149]: Invalid user admin from 216.45.58.210
[…]
[/quote]
I wrote a first script

[code]#!/bin/sh
# Usage: ./script.sh IP LOGFILE
IP=$1
FICHIER=$2
if grep -qF "$IP" /home/francois/message.log ; then
    echo "$IP already seen"
else
    # One-liner this started from: run whois on every offending IP and keep the abuse lines
    #grep -E 'Invalid user.*from.*' auth20090409.log | sed -e '1,$s/^.*from \(.*\)$/whois \1 | grep abuse/' | sh
    # First abuse@ mailbox in the whois output: drop what precedes it, what follows it, and quotes
    ABUSE=$(whois "$IP" | grep abuse@ | sed -e 's/^.*\(abuse@\)/\1/' -e 's/ .*//' -e 's/"//g' | head -n 1)
    echo "$IP $ABUSE"
    if [ -n "$ABUSE" ] ; then
        # Remember the IP so it is never reported twice
        date +"%c $IP $ABUSE" >> /home/francois/message.log
        cat > /tmp/_message <<EOF
Hey,
This automatic mail is to say that the following IP seems
to be part of a botnet. I think it's a good thing to
warn the owner of this computer.

Regards

My Name (My email address)
EOF
        echo >> /tmp/_message
        echo "the IP: $IP" >> /tmp/_message
        echo >> /tmp/_message
        echo "The logs (time is UTC+0 time)" >> /tmp/_message
        echo >> /tmp/_message
        grep -F "$IP" "$FICHIER" >> /tmp/_message
        mail -s "$IP compromised" "$ABUSE" < /tmp/_message
    fi
fi[/code]
which automatically sends a message to the abuse contact of each machine involved.
But I think it will have to be grouped by abuse contact, because
$ grep -c leaseweb.com message.log
53
I'm going to get called a spammer...

[code]#!/bin/sh
# Usage: ./script.sh IP LOGFILE
# Same as above, but instead of mailing per IP it appends each IP to one
# message file per abuse contact (/tmp/_message.$ABUSE) and records the
# contact in /tmp/message_a_envoyer; the mails are sent afterwards, one per contact.
IP=$1
FICHIER=$2
if grep -qF "$IP" /home/francois/message.log ; then
    echo "$IP already seen"
else
    #grep -E 'Invalid user.*from.*' auth20090409.log | sed -e '1,$s/^.*from \(.*\)$/whois \1 | grep abuse/' | sh
    ABUSE=$(whois "$IP" | grep abuse@ | sed -e 's/^.*\(abuse@\)/\1/' -e 's/ .*//' -e 's/"//g' | head -n 1)
    echo "$IP $ABUSE"
    if [ -n "$ABUSE" ] ; then
        date +"%c $IP $ABUSE" >> /home/francois/message.log
        MSG=/tmp/_message.$ABUSE
        # First IP for this contact: write the header of the message
        if [ ! -f "$MSG" ] ; then
            cat > "$MSG" <<EOF
Hey,
This automatic mail is to say that the following IPs seem
to be part of a botnet. I think it's a good thing to
warn the owners of these computers.

Regards

My name (my email)
EOF
            echo >> "$MSG"
        fi
        echo >> "$MSG"
        echo "the IP: $IP" >> "$MSG"
        echo >> "$MSG"
        echo "The logs (time is UTC+0 time)" >> "$MSG"
        echo >> "$MSG"
        grep -F "$IP" "$FICHIER" >> "$MSG"
        echo >> "$MSG"

        # No mail here: the message is sent once per contact after all IPs have been processed
        echo "$ABUSE" >> /tmp/message_a_envoyer
    fi
fi[/code]
To call it:

When processing is done, run
[code]$ cd /tmp
$ sort -u /tmp/message_a_envoyer | awk '{print "mail -s \"compromised computers\" " $1 " < /tmp/_message." $1}' | sh
$ rm /tmp/message_a_envoyer
$ rm /tmp/_message*[/code]
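The grouping the scripts above are working towards (one mail per abuse contact, IPs already reported skipped, IPs with no abuse contact left out rather than mailed nowhere), as an added example in Python that is not the poster's script. The whois call is replaced by a constructed lookup table so it runs offline; the sample log, the contacts, the sender and the report wording are all assumptions made for the example. A live run would pass abuse_contact_whois as the lookup and hand each rendered report to sendmail.

```python
#!/usr/bin/env python3
"""Group sshd "Invalid user" hits by abuse contact, one report per contact.

Added example, not the poster's script. The whois lookup is replaced by a
constructed table (ABUSE_TABLE) so it runs offline; the sample log, contacts
and sender are assumptions made for the example.
"""
import re
import subprocess
from collections import defaultdict

# Matches the sshd lines quoted in the thread: syslog timestamp, host, pid, user, IPv4.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: a subset of the quoted lines, plus one line the parser must ignore.
SAMPLE_LOG = """\
Apr 9 04:10:52 cerbere sshd[11228]: Invalid user admin from 89.30.129.147
Apr 9 04:11:20 cerbere sshd[11243]: Invalid user admin from 196.40.4.228
Apr 9 04:13:08 cerbere sshd[11408]: Invalid user admin from 216.195.56.227
Apr 9 04:13:09 cerbere sshd[11408]: Failed none for invalid user admin from 216.195.56.227 port 51530 ssh2
Apr 9 04:14:16 cerbere sshd[11492]: Invalid user admin from 216.195.56.227
Apr 9 04:15:47 cerbere sshd[11649]: Invalid user admin from 208.70.79.110
Apr 9 04:19:14 cerbere sshd[11964]: Invalid user admin from 208.70.79.110
Apr 9 04:21:35 cerbere sshd[12149]: Invalid user admin from 216.45.58.210
"""

# Constructed stand-in for whois. These mailboxes are invented and say nothing
# about the real registrations of these addresses.
ABUSE_TABLE = {
    "89.30.129.147": "abuse@example-a.net",
    "196.40.4.228": "abuse@example-b.org",
    "216.195.56.227": "abuse@example-a.net",
    "208.70.79.110": "abuse@example-a.net",
    # 216.45.58.210 has no entry on purpose: an IP with no contact is skipped, not mailed.
}


def parse_invalid_users(text):
    """Return [(ip, raw_line)] for every 'Invalid user' line, ignoring everything else."""
    hits = []
    for line in text.splitlines():
        m = INVALID_USER_RE.match(line)
        if m:
            hits.append((m.group("ip"), line))
    return hits


def abuse_contact_whois(ip):
    """Live lookup: first abuse@ mailbox in the whois output, or None (what the sh script greps for)."""
    out = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=20).stdout
    m = re.search(r"\babuse@[\w.-]+", out, re.IGNORECASE)
    return m.group(0).lower() if m else None


def group_by_contact(hits, already_reported, lookup):
    """contact -> {ip: [log lines]}, skipping IPs reported before; also return IPs with no contact."""
    groups = defaultdict(lambda: defaultdict(list))
    no_contact = set()
    for ip, line in hits:
        if ip in already_reported:
            continue
        contact = lookup(ip)
        if contact:
            groups[contact][ip].append(line)
        else:
            no_contact.add(ip)
    return groups, sorted(no_contact)


def render_report(contact, ips, sender="My name (my email)"):
    """One mail per abuse contact listing every IP and its log lines (timestamps are UTC+0)."""
    body = ["Hey,",
            "This automatic mail is to say that the following IPs seem to be part of a",
            "botnet: they are brute-forcing SSH logins on my host. It may be worth",
            "warning the owners of these machines.",
            "",
            "The logs (time is UTC+0):"]
    for ip in sorted(ips):
        body += ["", "IP: " + ip] + ips[ip]
    body += ["", "Regards", sender]
    return {"to": contact,
            "subject": "compromised computers (%d IPs)" % len(ips),
            "body": "\n".join(body)}


def build_reports(log_text, already_reported=frozenset(), lookup=ABUSE_TABLE.get):
    """Parse the log, group the not-yet-reported IPs by contact, render one report per contact."""
    hits = parse_invalid_users(log_text)
    groups, no_contact = group_by_contact(hits, already_reported, lookup)
    return [render_report(c, ips) for c, ips in sorted(groups.items())], no_contact


if __name__ == "__main__":
    # Pretend 196.40.4.228 was already reported on an earlier run (the sh script's message.log).
    reports, no_contact = build_reports(SAMPLE_LOG, already_reported={"196.40.4.228"})
    for r in reports:
        print("To: %s\nSubject: %s\n\n%s\n" % (r["to"], r["subject"], r["body"]))
    print("no abuse contact found for:", ", ".join(no_contact))
```

The dedup set plays the role of message.log in the sh scripts: load it from that file before each run and append every IP you report. Keeping the "no contact" list visible matters in practice, because an IP whose whois has no abuse@ line silently disappears from the sh version.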

A question that comes to mind: if you use port knocking, are futile attempts of this kind logged, or, since the port appears closed to the intruder (who doesn't enter the right sequence to open the port), are these attempts blocked upstream and therefore not logged?

No, with port knocking the commands aren't logged, since there is no access to sshd...